Simplify password management, improve security, and log in seamlessly with an Identity Provider (IdP). This article describes setting up your IdP and enabling SSO as your authentication protocol when logging into Atera.
For information on enabling SSO via Microsoft Azure AD, see Single sign-on with Microsoft Azure AD.
Note: Single sign-on with your IdP is available to Atera Enterprise plan subscribers.
Note: Single sign-on with your IdP is available to Atera Superpower plan subscribers.
Overview
We'll provide a comprehensive explanation of the following, using Okta as our IdP example.
- Set up an Identity Provider (IdP): You need to have an IdP (e.g., Okta) that supports OpenID Connect (OIDC). The IdP is responsible for authenticating users and providing identity data to the applications.
- Create user accounts within the IdP: Before connecting Atera to your identity provider, make sure the desired people have valid accounts in the identity provider. This is essential for a successful SSO connection.
- Register Atera with the IdP: Once done, you'll get a client ID and a client secret which your application will use to authenticate itself with the IdP.
- Assign Atera to users: Assigning Atera to specific users within the IdP ensures that only authorized individuals can log in to Atera through the SSO process. Without this assignment, even authenticated users would lack the necessary access to log in to Atera using their single sign-on credentials.
- Enable single sign-on (SSO) within Atera: You will then configure Atera with details about this OIDC connection. To ensure SSO functions correctly, pop-ups must be enabled in your browser.
Create an Okta account
All account users need to download the Okta Verify app from the App Store (iPhone and iPad) or Google Play (Android devices).
To sign up to Okta:
1. Go to Okta
2. Enter your first name, last name, email, phone number, and country/region.
3. Convince our silicon overlords you're not one of them by ticking the box I'm not a robot (you might still have to play the classic game 'I spy with my little eye' — fingers crossed you're a fan of adventure and discovery, like looking for furry friends or hunting for fire hydrants and motorcycles).
4. After passing the Voight-Kampff test, click Get started. An activation email is sent to your email address.
5. Open it and click Activate Okta Account. You are redirected to Okta.
Register Atera in Okta
To register Atera in Okta:
2. Click Admin (top-right corner).
3. From the Applications dropdown, select Applications. Then click Create App Integration.
4. For the Sign-in method, select OIDC - OpenID Connect.
5. For the Application type, select Web application. Then click Next.
6. Enter the General Settings for your new app integration:
- App integration name: Enter your app integration name (e.g., Atera).
- Sign-in redirect URI: Enter this Auth0 tenant information callback URL: https://auth.atera.com/login/callback
- Assignments: Select your preferred controlled access option.
7. Click Save.
You've integrated Atera into your IdP successfully.
Note: When activating SSO in Atera, you'll need to provide the Domain name(s), Issuer URI, Client ID, and Client Secret.
Create a user
Note:
- You cannot assign Atera to the first user account that was set up during the initialization of your IdP account.
- Please ensure that the user name (including domain), first name, and last name align with the user's credentials within Atera. Otherwise, the connection will fail.
To create a user:
1. Go to Directory > People > Add person.
The Add Person window appears.
2. Fill out the user details.
Note: The username is the email the user will enter to sign in.
3. Click Save.
4. Inform the user so that they can sign in via an activation email. The user will appear on the People page.
Assign Atera to a user
Note: You cannot assign the first user account that was set up during the initialization of your IdP account. To create another user, see Create a user.
To assign Atera to a user:
1. Go to Directory > People.
2. Select the user.
3. Click Assign Applications.
4. Click Assign.
5. Fill out the user information. Then click Save and Go Back.
6. Click Done. The application (Atera) is assigned to the user.
Copy Client ID and Client Secret
To copy your Client ID and Client Secret:
1. Go to Applications > Applications > [App name] (e.g., Atera).
The application page appears.
2. Click the copy to clipboard icon to copy your Client ID and Client Secret.
3. Copy and paste these into their respective fields when setting up your SSO authentication (see Activate SSO in Atera).
Activate SSO in Atera
Note:
- Full admin permissions are required to activate SSO.
- Activating SSO will disable 2FA for all users on the account.
To activate single sign-on for your account:
1. From Admin (on the sidebar), click Security and Authentication.
The Security and Authentication page appears.
2. Click the Authentication dropdown icon.
3. Select the Single sign-on (SSO) radio button.
4. Select OpenID Connect (OIDC) from the SSO protocol dropdown menu.
5. Enter your OIDC details:
- Domain names: Include the domain name(s) (i.e., "[YOUR_DOMAIN].com").
  Note:
  - Replace "[YOUR_DOMAIN]" with your company or IdP domain.
  - When entering multiple domains, use a comma to separate them.
- Issuer URI: "https://[YOUR_DOMAIN].okta.com/.well-known/openid-configuration"
  Note: Replace "[YOUR_DOMAIN]" with your domain and ensure the URI doesn't contain "admin".
- Client ID: The confidential identifier that the IdP assigns to your application to recognize it during the authentication process. Get Client ID
- Client Secret: The confidential key held by the application — used in conjunction with the client ID — to authenticate the application with the Identity Provider (IdP) during secure transactions. Get Client Secret
- Redirect URL: "https://auth.atera.com/login/callback"
6. Click Save.
SSO is enabled for your account.
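A pre-flight check for the OIDC values entered in step 5, as an added example that is not part of Atera's or Okta's own tooling. The function name check_oidc_settings, the tenant "dev-000000", and the example.com domains are assumptions made for illustration; the optional discovery argument is the JSON document served at the Issuer URI, parsed into a dict.

```python
from urllib.parse import urlsplit

ATERA_CALLBACK = "https://auth.atera.com/login/callback"  # Redirect URL from this article
DISCOVERY_PATH = "/.well-known/openid-configuration"


def check_oidc_settings(domains, issuer_uri, redirect_url, discovery=None):
    """Return a list of problems in the values destined for the Atera OIDC form."""
    problems = []
    # Domain names: comma-separated bare domains (no scheme, "@", port or spaces).
    for d in (part.strip() for part in domains.split(",")):
        if not d or "." not in d or any(c in d for c in "/@: "):
            problems.append(f"domain {d!r} is not a bare domain name")

    url = urlsplit(issuer_uri)
    host = (url.hostname or "").lower()
    if url.scheme != "https":
        problems.append("issuer URI must use https")
    if not url.path.endswith(DISCOVERY_PATH):
        problems.append(f"issuer URI must end with {DISCOVERY_PATH}")
    if "admin" in issuer_uri.lower():  # the article's rule for the Issuer URI
        problems.append("issuer URI contains 'admin'")

    if redirect_url != ATERA_CALLBACK:  # exact match, no trailing slash
        problems.append(f"redirect URL must be exactly {ATERA_CALLBACK}")

    # Optional: the JSON document fetched from the issuer URI, parsed into a dict.
    if discovery is not None:
        if (urlsplit(discovery.get("issuer", "")).hostname or "").lower() != host:
            problems.append("discovery 'issuer' host differs from the issuer URI host")
        for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
            if not str(discovery.get(key, "")).startswith("https://"):
                problems.append(f"discovery document has no https {key}")
    return problems


# Constructed sample values; "dev-000000" and example.com are placeholders.
SAMPLE_ISSUER_URI = "https://dev-000000.okta.com" + DISCOVERY_PATH
SAMPLE_DISCOVERY = {
    "issuer": "https://dev-000000.okta.com",
    "authorization_endpoint": "https://dev-000000.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://dev-000000.okta.com/oauth2/v1/token",
    "jwks_uri": "https://dev-000000.okta.com/oauth2/v1/keys",
}

if __name__ == "__main__":
    for p in check_oidc_settings("example.com, example.org", SAMPLE_ISSUER_URI,
                                 ATERA_CALLBACK, SAMPLE_DISCOVERY):
        print("PROBLEM:", p)
```

An empty result means the values are consistent with this article's requirements; it does not confirm that the Client ID and Client Secret are valid.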
Sign in with SSO
Once you've registered Atera in Okta, added users, assigned Atera to your users, and enabled SSO in Atera, it's time for you and your colleagues to experience the magic of SSO.
To sign in to Atera via SSO:
2. Enter your email address. Then click Continue. You are redirected to Okta.
3. Enter your username (email). Then click Next.
4. Enter your password. Then click Verify.
5. Under Okta Verify, click Set up. And get your phone ready!
6. Follow the on-screen instructions.
Deactivate SSO in Atera
Two-factor authentication is enabled by default. If you've enabled SSO, and you'd like to return to two-factor authentication, you can remove your SSO connection.
Note:
- Full admin permissions are required to deactivate SSO.
- Removing your SSO connection will delete all related information from Atera (Domain name(s), Issuer URI, Client ID, and Client Secret).
To deactivate SSO:
1. From Admin (on the sidebar), click Security and Authentication.
The Security and Authentication page appears.
2. Click the Authentication dropdown icon.
3. Select the Two-factor authentication (2FA) radio button. A confirmation window appears.
4. Click Enable authentication app.
Two-factor authentication is enabled for all users on your account.